ABSTRACT

Methods, signals, devices, and systems are provided for secure access to a network from an external client. Requests for access to confidential data may be redirected from a target server to a border server, after which a secure sockets layer connection between the border server and the external client carries user authentication information. After the user is authenticated to the network, requests may be redirected back to the original target server. Web pages sent from the target server to the external client are scanned for non-secure URLs such as those containing "http://" and modified to make them secure. The target server and the border server utilize various combinations of secure and non-secure caches. Although tunneling may be used, the extensive configuration management burdens imposed by virtual private networks are not required.

30 Claims, 4 Drawing Sheets 
SECURE INTRANET ACCESS

FIELD OF THE INVENTION

The present invention relates to computer network security, and more particularly to the task of providing a user who is presently at a client machine outside the perimeter of a secure network with convenient, efficient, and secure access to data stored on a target server which is located within the secure network.

TECHNICAL BACKGROUND OF THE INVENTION

Distributed computing systems are becoming increasingly useful and prevalent. Distributed computers are now connected by local area networks, wide area networks, and networks of networks, such as the Internet. Many such networks are secured with a security perimeter which is defined by firewall software, routing limitations, encryption, virtual private networks, and/or other means. Machines within the security perimeter are given ready access to data stored in the secure network (possibly subject to user and group permissions, access control lists, and the like), while machines outside the perimeter are substantially or entirely denied access.

With the growth of such secure networks and their information content, there is an urgent need to support secure access by authorized users even when those users log in from a client machine outside the network security perimeter. A wide variety of tools and techniques relating to networks and/or security are known, at least individually and to at least some extent, including: computer network architectures including at least transport and session layers, sockets, clients, and servers; hyperlinks and uniform/universal resource locators (URLs); communications links such as Internet connections and LAN connections; proxy servers for HTTP and some other protocols; internetworking; Kerberos authentication; authentication through certificates exchanged during an SSL handshake; tying certificates to access control lists so that users are identified in certificates presented during the SSL handshake instead of being identified by an IP address, DNS name, or username and password; multiple instances of a server on the same machine in order to serve both insecure and secure documents; using a single password to log into an entire network rather than logging into individual servers; proxy servers as an example of servers which require user authentication; a secure sockets layer protocol manifestation in URLs, including protocol identifiers "http://" and "https://"; the use of a specific server port for network communication; various definitions of VPNs (virtual private networks); "route filtering" which controls route propagation; Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP); use of encryption technologies to provide the segmentation and virtualization required for VPN connectivity deployed in almost any layer of the protocol stack; transport or application layer VPNs; basic VPN requirements such as user authentication, address management, data encryption, key management, and multiprotocol support; tunneling by packet encapsulation, packet transmission, and packet unencapsulation; Lightweight Directory Access Protocol; a split proxy system for a protected computer network; translation between transport layer protocols; translation between IP and non-IP protocols; a proxy server within a network which receives a request for a protected Web resource from a browser outside the network and requires authentication of the browser to the proxy using some combination of a user ID and/or password; Novell/NetWare Directory Service (NDS) and user access controls; Windows NT Domain directory; Reverse Proxy/Virtual Hosting; a proxy server with HTTP caching; use of a proxy server by configuring client software to connect through the proxy server to prevent the client from being connected directly to the Internet; SSL encryption; an entry manager which serves as a single point of network entry for all users; a Trusted Sendmail Proxy, in the context of sensitivity labels and privileges, including a small, trusted program which acts as a communication path between an inside compartment that performs privileged internal operations and delivers local messages and an outside compartment that collects and sends messages without privilege; a secured https proxy which apparently does SSL tunneling, logging, and reacting to events; software which apparently allows use of https URLs by way of an SSL connection with a program that wraps https calls to http; a protocol stream or content processor which knows how to convert something involving an URL into a proprietary content container which knows its content, and does so for HTTP, HTTPS, FTP, gopher, and other protocols; redirection of HTTP requests in connection with an HTTP proxy; superuser privileges; and object rights and property rights which apply to properties of an NDS object, as well as distribution of directory information across the network through replication.

References which mention or discuss these and possibly other tools and techniques are identified and discussed relative to the present invention in a Petition for Special Examining Procedure filed concurrently with the present application. To the extent that the Petition describes the technical background of the invention as opposed to the invention, the text of the Petition is incorporated herein by this reference. This incorporation by reference does not admit that the claimed invention was previously known.

Although a wide variety of tools and techniques relating to networks and/or security are known, it has not previously been known how to combine them to provide clients outside a network perimeter with sufficiently convenient, efficient, and secure access to Web pages stored on servers within the secure network.

For example, some previous approaches require that the user's name and/or password be sent across a network communications link in plain text. Other approaches use only a weak form of encryption, such as uuencoding, to protect the authentication information. In both cases, the authentication information is quite vulnerable to theft and misuse.

As another example, some previous approaches utilized strong encryption but required that special software be previously installed on both the client machine which is seeking access and on the server machine which holds the data sought by the client. Such approaches are taken by many virtual private networks, as well as by individual machines configured with public key/private key encryption software such as PGP software. These approaches protect user authentication information and/or the data which is transmitted after a user is authenticated, but they are not sufficiently convenient and efficient.

In particular, virtual private networks require significant administrative effort and vigilant attention to details in order to avoid problems arising from incorrect or inconsistent configurations. Moreover, widely used Web browsers such as those available from Netscape and Microsoft do not normally include full support for either virtual private networking or application-level encryption software such as PGP software.
Accordingly, it would be an advancement in the art to improve the tools and techniques that are available to provide a user who is presently at a client outside the perimeter of a secure network with convenient, efficient, and secure access to data stored on a server located within the secure network.

Such improvements to secure network access are disclosed and claimed herein.

BRIEF SUMMARY OF THE INVENTION

In one embodiment, the present invention provides a distributed computing system which allows secure external access to a secure network such as a secure intranet. The system includes a target server within the secure network; a border server within the secure network; a client outside the secure network; a user authentication system located at least partially within the secure network; and a uniform resource locator transformer.

The border server is connectable to the target server by a first communications link, such as an intranet or Ethernet link. The client is connectable to the border server by a second communications link, such as a TCP/IP link. The client and the border server are configured to support secure sockets layer communication over the second communications link using SSL or similar software.

The secure network is configured with authentication software and supporting data to allow direct access to the target server by a user only after the user is authenticated by the user authentication system. Typically, the user could readily log onto the network from an internal client at work, and the security questions addressed by the invention arise because the user wishes to log on through an external client at home or in the field rather than an internal one at work.

The uniform resource locator (URL) transformer modifies non-secure uniform resource locators in data being sent from the target server to the client by replacing them with corresponding secure URLs to promote continued use of secure sockets layer communication. The URL transformer is an "SSL-izer". For instance, the URL transformer may replace instances of "http" which refer to locations inside the secure network 100 by corresponding instances of "https" which refer to the same locations. The modifications to the data promote continued use of a secure connection such as an SSL connection. An URL transformer may be located on the border server, on the target server, or both. If the URL transformer is located on the target server, the system may include tunneling software for tunneling secure data (which was transformed into secure form at the target server) between the client and the target server through the border server.

The border server and/or target server may include one or more data caches. For instance, in one configuration the border server has a cache that holds data from the target server which contains non-secure URLs, and the URL transformer introduces secure URLs on the fly without requiring that the transformed data also be cached on the border server. In another configuration, a border server cache includes a non-secure data cache for internal clients and a secure data cache for external clients. The non-secure data cache holds data that contains non-secure URLs, and the secure data cache holds data that does not contain any non-secure URLs. In yet another configuration, the border server cache is simply free of data that contains non-secure URLs.

In short, systems according to the invention use novel URL transformation and more familiar mechanisms such as HTTP redirection and SSL software (in novel ways) to provide secure authentication of a user from an external client and to provide secure transmission of confidential data between the target server and the external client.

By transforming non-secure URLs into secure URLs, the invention forces continued use of secure communications despite the inherent security problems caused by the lack of state information in HTTP. HTTP servers and browsers do not ordinarily "remember" security requirements from one Web page transmission to the next without some assistance. Accordingly, the present invention forces use of HTTPS or a similar secure connection each time the user follows an URL to confidential data. In addition, the invention provides security without requiring the installation of new client or target server software. Other features and advantages of the invention, and embodiments of the invention in methods, storage media, and signals, will all become more fully apparent through the following description.

BRIEF DESCRIPTION OF THE DRAWINGS

To illustrate the manner in which the advantages and features of the invention are obtained, a more particular description of the invention will be given with reference to the attached drawings. These drawings only illustrate selected aspects of the invention and thus do not limit the invention's scope. In the drawings:

FIG. 1 is a diagram illustrating a secure network, a client outside the network, and several aspects of the present invention which allow secure communication between the client and the network.

FIG. 2 illustrates methods of the present invention.

FIG. 3 is a diagram further illustrating one embodiment of the client and secure network shown in FIG. 1.

FIG. 4 is a diagram further illustrating another embodiment of the client and secure network shown in FIG. 1.

The present invention relates to methods, systems, signals, and devices for providing a user located outside a network with convenient, efficient, and secure access to data stored within the network. In particular, the invention provides and uses novel modifications to uniform resource locators (sometimes called "universal resource locators" or "URLs") to protect user authentication information and to protect data such as intranet Web pages which are sent to the user from within the secure network. Various components of the invention and its environment are discussed below.

Network and Computer Architecture

One of the many secure computer networks suited for use with the present invention is indicated at 100 in FIG. 1. The secure network 100 has a security perimeter 102 which is defined by firewall software, routing limitations, encryption and/or other means familiar to those of skill in the art. Authorized users can log into particular servers and/or to the network as a whole from clients within the security perimeter and access data of the network 100 subject only to permissions, database locks, and the like, whereas attempts by the same authorized users to access the same data from outside the perimeter 102 are generally not allowed (at least, not without the invention or similar functionality).

A wide variety of secure networks 100 may be configured according to the invention, including both individual computer networks and larger networks which are aggregations
of smaller networks. For example, suitable computer networks 100 include local area networks, wide area networks, and/or portions of the Internet such as a private Internet, a secure Internet, a value-added network, or a virtual private network. The secure network 100 may also include or consist of a secure intranet, which is a secure network that employs TCP/IP and/or HTTP protocols internally.

In one embodiment, the secure network 100 includes Novell NetWare® network operating system software (NETWARE is a registered trademark of Novell, Inc.). In alternative embodiments, the secure network 100 includes NetWare Connect Services, VINES, Windows NT, Windows 95, Windows 98, Windows 2000, LAN Manager, or LANtastic network operating system software and/or an implementation of a distributed hierarchical partitioned object database according to the X.500 protocol such as Novell Directory Services or Lightweight Directory Access Protocol (LDAP) directory services (VINES is a trademark of Banyan Systems; NT, WINDOWS 95, WINDOWS 2000, and LAN MANAGER are trademarks of Microsoft Corporation; LANTASTIC is a trademark of Artisoft). The secure network 100 may be connectable to other networks, including other LANs or portions of the Internet or an intranet, through a gateway or similar mechanism.

The secure network 100 includes one or more file or object or Web servers such as a target server 104. The secure network 100 also includes at least one border server 106. The target server 104 and the border server 106 will often run on separate machines, but they may be merely separate processes which share one machine.

In the illustrated configuration, the border server 106 includes an URL transformer 108 and one or more caches 110. As discussed in greater detail below, the URL transformer 108 modifies uniform resource locators (URLs) to protect the confidentiality of data sent to a user outside the secure network 100. The caches 110 are also discussed below.

The secure network 100 may include additional servers and zero or more internal clients. The servers and the internal clients (if any) within the secure network 100 are connected by network signal lines to permit communications links between them in the form of network connections. In addition to their functionality as described herein, one or more of the servers 104, 106 may also be configured by those of skill in the art in a wide variety of ways to operate as Internet servers, as intranet servers, as proxy servers, as directory service providers or name servers, as software component or other object servers, or as a combination thereof. A given computer may function both as an internal client and as a server; this may occur, for instance, in peer-to-peer networks or on computers running Microsoft Windows NT or Windows 2000 software. The servers 104, 106 may be uniprocessor or multiprocessor machines. The servers 104, 106 and internal clients (if any) each include an addressable storage medium such as random access memory and/or a nonvolatile storage medium such as a magnetic or optical disk.

Suitable network 100 internal clients include, without limitation, personal computers, laptops, workstations, disconnectable mobile computers, mainframes, information appliances, personal digital assistants, and other handheld and/or embedded processing systems. The signal lines which support communications links to the servers 104, 106 may include twisted pair, coaxial, or optical fiber cables, telephone lines, satellites, microwave relays, modulated AC power lines, and other data transmission "wires" known to those of skill in the art. Signals according to the invention may be embodied in such "wires" and/or in the addressable storage media (volatile and/or nonvolatile). In addition to the servers 104, 106 and any internal client computers, the secure network 100 may include other equipment such as printers, plotters, and/or disk arrays. Although particular individual and network computer systems and components are shown, those of skill in the art will appreciate that the present invention also works with a variety of other networks and computers.

One or more of the servers 104, 106 and internal clients may be capable of using floppy drives, tape drives, optical drives or other means to read a storage medium. A suitable storage medium includes a magnetic, optical, or other computer-readable storage device having a specific physical substrate configuration. Suitable storage devices include floppy disks, hard disks, tape, CD-ROMs, PROMs, RAM and other computer system storage devices. The substrate configuration represents data and instructions which cause the computer system to operate in a specific and predefined manner as described herein. Thus, the medium tangibly embodies a program, functions, and/or instructions that are executable by the servers 104, 106 and/or clients to perform secure network access steps of the present invention substantially as described herein.

The illustrated novel configurations also include an external client 112 which resides (at least initially) outside the security perimeter 102. The external client 112 may be a single workstation, for instance, or another machine of the types discussed above in reference to internal clients. Indeed, internal clients and external clients may differ merely in physical location and in the fact that internal clients have ready access to data stored on the target server 104 without the present invention while external clients gain access through the invention. The external client 112 may also be a server which provides secure access between the secure network 100 and one or more secondary clients 114 on a network 116 which is served by and/or accessed through the client 112.

Operation

With continued reference to FIG. 1 and with reference to FIG. 2 as well, the invention operates generally in the following manner. During a requesting step 120, the external client 112 requests access to data which is stored on the target server 104. From the perspective of the target server 104, this involves receiving a request during a step 200. By checking the IP address from which the request was made, communicating with the firewall software, or other familiar means, the target server 104 determines that the request came from outside the security perimeter 102. Accordingly, the target server 104 does not simply provide the requested data. Of course, even if the request came from inside the security perimeter 102, the target server would generally check user permissions against access control lists associated with the data, or take other steps to make sure the requesting user is entitled to access the requested data before providing that data. User permissions, access control lists, labels, and similar security controls which have a granularity smaller than the security perimeter 102 may continue to be used in combination with the security constraints described herein.

In one embodiment, a redirector on the border server 106 redirects the request from the client 112 to the border server 106 during a step 122. The border server 106 is advertised as the target server 104. In practice, the border server 106 will often be on a separate machine than the target server 104, but those of skill in the art will appreciate that the target server 104 and the border server 106 may also run on the
same machine. The redirection may be accomplished using redirection capabilities which are part of the HTTP protocol. These redirection capabilities are conventionally used to automatically redirect Web browsers when a Web site has moved, that is, when the URL for the Web site has changed. In the context of the present invention, the Web site for which access is sought has not moved, in that the desired data still resides on the target server 104. Instead, HTTP redirection provides a convenient and efficient tool for sending requests from external clients to the border server 106 to maintain security as described herein.

For example, assume that the target server 104 is identified by the URL "http://www.Novell.com". The redirection step 122 might return the following URL to the external client 112:

https://BorderManager:443?"http://www.Novell.com"

(for authentication), or it might return the URL:

https://BorderManager:443?"https://www.Novell.com:443"

(authentication and force through the SSL-izer). Several things are worth noting in such a redirection URL signal.

First, the redirection signal seeks to change the protocol from HTTP to HTTPS. As those of skill in the art will recognize, the HTTPS protocol uses secure sockets layer communication. A familiar embodiment of secure sockets layer communication is provided by SSL software operating according to U.S. Pat. No. 5,825,890 assigned to Netscape Communications Corporation. However, as used herein the term "secure sockets layer communication" is not limited to SSL connections but instead includes any form of network communication which utilizes encryption in TCP/IP sockets and which is widely available in Web browsers and the servers with which those browsers communicate.

Second, the redirection signal refers to the border server 106 as "BorderManager" in deference to the BorderManager product line from Novell, Inc. (BorderManager is a mark of Novell, Inc.). Those of skill in the art will understand that the border server 106 need not be a Novell BorderManager server, but need merely operate as claimed herein.

Third, the redirection signal refers to port 443 of the border server 106. Those of skill in the art will appreciate that other ports may also be used, through a port override, for instance. Moreover, redirection need not utilize a dedicated port; it is simply convenient in many cases to do so.

Fourth, in its most general form, the redirection signal simply includes a delimited non-secure URL adjoined to a secure URL. The non-secure URL http://www.Novell.com identifies the target server 104, while the secure URL https://BorderManager identifies the border server 106. To conform with HTTP syntax, the non-secure URL is delimited in the example redirection signal by double quotes; other delimiters may be used with other protocols. The non-secure URL is non-secure because it does not require use of a secure connection such as a secure sockets layer or SSL link; the secure URL is secure because it does require such a secure connection.

Fifth, those of skill in the art will appreciate that directory path names and filenames may be appended to these examples to identify specific Web pages or other protected resources. For instance, the original request may have been for the web page which is located at "http://www.Novell.com/~hashem/foo_design.htm".

Sixth, those of skill in the art will also appreciate that FTP files, gopher resources, and other data on the target server 104 may be handled in a similar manner.
Finally, those of skill in the art will appreciate that a wide variety of signal field orderings, data sizes, and data encodings, and other variations are possible. The inventive signals may also be embodied in a system in various media. For instance, they may take the form of data stored on a disk or in RAM memory, or the form of signals on network communication lines. Some embodiments will include all signal elements discussed above, while others omit and/or supplement those elements. However, the distinctive features of the invention, as set forth in the appended claims, will be apparent in each embodiment to those of skill in the art.

During a step 124, a secure connection is formed between the border server 106 and the external client 112. This connection may be, for instance, an SSL connection formed in response to use of "https" as a protocol indicator in a request from the client 112 to the border server 106. For convenience, reference is made primarily to connections with a user of the external client 112. However, as noted earlier the client 112 may itself be a server or another node in a communications path between a user who is located at another machine 114 and who is seeking access to target server 104 data.

As indicated in FIG. 2, in some cases the external client 112 may contact the border server 106 directly so that no redirection is needed. That is, the initial request for access to the target server 104 may be directed to the border server 106 to save time. Moreover, the initial request may be combined with a request for a secure connection as discussed with reference to step 124.

Alternatively, the secure connection may be formed during step 124 before a specific request is made to the target server 104 despite the fact that step 200 is shown above step 124 in FIG. 2. More generally, steps according to the present invention may be performed in a variety of orders and the execution of steps may overlap when the result of one step is not required by another step. Steps may also be omitted, renamed, repeated, or grouped differently than shown, provided they accomplish the claimed process.

During a step 126, the user is authenticated to the secure network 100. This generally involves transmitting user authentication information over the secure connection from the client 112 to the border server 106, verifying the information within the secure network 100, and notifying the user that the authentication information has been accepted as valid. This may be accomplished in various ways.

For instance, some embodiments use an HTML page with scripts, or a Java applet, to present the user with a login screen. The user enters a user name and a corresponding password in fields shown on the login screen. The username and password are then transmitted over the secure connection to the border server 106, which passes them in turn to an authentication system within the secure network 100. If the username and password are validated by the authentication system, the border server 106 so notifies the user, and the user is then granted access to secure network 100 data as described herein (subject to permissions and the like).

In one embodiment which utilizes Novell NDS software 140, the username and user password presented by the user are that user's regular NDS name and password, which the user would typically present when logging into the secure network 100 from an internal client. The user need not manage a separate username and/or password in order to login from an external client. The login screen presented to the user may also include contextual information, such as the user's context within an NDS tree. The border server 106 presents the NDS username and password to the familiar NDS user authentication system, and looks to that authentication system for rejection or validation of the authentication information. Instead of using a Novell Directory Services database 140, or in addition to that database, the user authentication system may include a Microsoft Windows NT Domain directory 140. An embodiment of the invention which does not utilize NDS software may also authenticate a user to all servers in the secure network 100 after recognizing a single user name and a single corresponding user password.

During a step 128, non-secure data 130 is transmitted from the target server 104 to the border server 106, where it will be modified to promote continued security and then forwarded to the external client 112 during a transmitting step 132. In one embodiment, the transmitting step 128 includes a preliminary act and one or more subsequent repeated acts, as follows.

The preliminary act within the transmitting step 128 is to direct (or redirect) the external client 112 to the target server 104, and to promote use of a secure connection in so doing by making a secure connection the default. This may be done by using the HTTP redirection capability in combination with substitution of "https" for "http" in the URL which identifies the target server 104 data sought by the external client 112. In the example above, the original request from the external client 112 was for data at "http://www.Novell.com" so the redirection back to the target server 104 (after the user is authenticated to the secure network 100 during step 126) would seek data at "https://www.Novell.com" with directory and path names appended as in the original request.

The possibly repeated acts within the transmitting step 
128 involve sending one or more Web pages, files, or other 
pieces of non-secure data 130 from the target server 104 to 
the border server 106. The data 130 is non-secure in that it 
includes hypertext links, URLs, or other references which, if 
presented by the external client 112 to the secure network 
100, would not necessarily require use of a secure connection 
such as an SSL connection and which might allow 
non-secure access to protected network 100 data. For 
instance, Web pages which contain URLs specifying 
"http://" rather than "https://" in reference to data stored on 
the target server 104 are examples of non-secure data 130. 

During an optional caching step 202, the non-secure data 
130 may be cached in a cache 110 at the border server 106. 
Caching tools and techniques familiar in the art may be used; 
caching is discussed further below. 

During a transforming step 204, the non-secure data 130 
is transformed into secure data 134 by an URL transformer 
108 which replaces non-secure URLs with corresponding 
secure URLs. For instance, the URL transformer 108 may 
employ familiar string search-and-replace algorithms to 
replace each instance of the string "http" which is tagged in 
HTML data 130 as an URL protocol indicator by the string 
"https". As noted, similar steps may be taken with FTP and 
other protocol indicators. 

Care should be taken to avoid replacing string instances 
which are not being used within an URL as a protocol 
indicator. For example, instances of the string "http" in the 
text of this patent application would not be replaced, nor 
would instances which are being used as part of a directory 
path or a filename rather than a protocol indicator, because 
such replacements would not promote continued use of 
secure sockets layer communication. 
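The redirect of the preliminary act (substituting "https" for "http" in the requested URL while keeping the directory and path names) and the transforming step 204, together with the caveat just stated about protocol indicators, can be carried out by one small transformer. The Python below is an added illustration written for this page; it is not the patent's own code. The set of protected hosts, the list of HTML attributes that are scanned, the "ftps" counterpart for FTP, and the sample page are all assumptions made for the example. It also goes one step beyond the text by reporting any non-secure URLs that survive, which is what the transformer would hand to an administrator in the notification variant described later in the description.

```python
"""URL transformer in the spirit of steps 128 and 204 (added example,
not the patent's code). PROTECTED_HOSTS, the attribute list, the FTP
mapping and SAMPLE_PAGE are constructed assumptions for this example."""
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts inside the secure network whose URLs must be made secure.
# Constructed for this example; the text names only "www.Novell.com".
PROTECTED_HOSTS = {"www.novell.com", "intranet.example.test"}

# Non-secure protocol indicators and their secure counterparts. The
# text names "http"; the "ftp" -> "ftps" entry is an assumption added
# because the text says similar steps may be taken with FTP.
SECURE_SCHEME = {"http": "https", "ftp": "ftps"}

# Only URL-valued attributes are rewritten, so "http" appearing in page
# text, in a directory name or in a filename is never touched.
_URL_ATTR = re.compile(
    r'''(?P<prefix>\b(?:href|src|action)\s*=\s*(?P<q>["']))'''
    r'''(?P<url>[^"']*)(?P=q)''',
    re.IGNORECASE,
)


def secure_url(url):
    """Return the URL with a secure scheme if it points into the secure
    network and uses a non-secure scheme; otherwise return it unchanged.

    Serves the redirect of the preliminary act (original request URL
    with "https" substituted, path kept) and each URL found by
    transform(). A URL without a host, a relative path or a URL to an
    outside host is left alone, as is the "http" inside a path."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in SECURE_SCHEME and parts.hostname in PROTECTED_HOSTS:
        return urlunsplit((SECURE_SCHEME[scheme], parts.netloc, parts.path,
                           parts.query, parts.fragment))
    return url


def transform(html_text):
    """Transforming step 204: rewrite non-secure URLs found in
    href/src/action attribute values and return the secure page."""
    def _fix(match):
        return (match.group("prefix") + secure_url(match.group("url"))
                + match.group("q"))
    return _URL_ATTR.sub(_fix, html_text)


def remaining_non_secure(html_text):
    """Attribute URLs into the secure network that still use a
    non-secure scheme. A non-empty list after transform() is what the
    transformer would report to an administrator."""
    found = []
    for match in _URL_ATTR.finditer(html_text):
        url = match.group("url")
        if secure_url(url) != url:
            found.append(url)
    return found


# Constructed sample page: the link text and a directory component both
# contain "http", but only attribute values naming a protected host change.
SAMPLE_PAGE = (
    '<p>See http://www.Novell.com/intro.html for details.</p>\n'
    '<a href="http://www.Novell.com/docs/http/notes.html">notes</a>\n'
    "<img src='http://www.novell.com/logo.gif'>\n"
    '<a href="http://www.other.example/page">elsewhere</a>\n'
)

if __name__ == "__main__":
    # Redirect location for the original request in the text's example.
    print(secure_url("http://www.Novell.com/docs/index.html"))
    print(transform(SAMPLE_PAGE))
    print(remaining_non_secure(transform(SAMPLE_PAGE)))
```

Rewriting only attribute values rather than every "http" substring is what keeps the transformer from touching the prose of a page or the "http" directory in a path, and restricting the rewrite to hosts inside the secure network keeps links to outside sites as the page author wrote them.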

Like other elements of the present invention, the transformer 
108 may be implemented using the teachings presented 
here with programming languages and tools such as 
Java, Pascal, C++, C, Perl, shell scripts, assembly, firmware, 
microcode, logic arrays, PALs, ASICs, PROMS, and/or 
other languages, circuits, or tools as deemed appropriate by 
those of skill in the art. 

During an optional caching step 206, the secure data 134 
may be cached, using caching tools and techniques familiar 
in the art. Either, both, or neither of the caching steps 202, 
206 may be present in a given embodiment. That is, the 
border server 106 may include zero, one, or two caches 110. 

For instance, the non-secure data 130 may be stored in 
one cache 110 while the secure data 134 is stored in another 
cache 110. Secure data 134 is transmitted during a step 132 
to external clients 112 from the secure cache 110, while 
non-secure data 130 is provided to internal clients from the 
non-secure cache 110. This split cache configuration pro- 
vides the benefits of caching both to external clients and to 
internal clients, and it does not impose URL transformation 
processing costs on internal clients that only access non- 
secure data 130. 

Another configuration stores data requested by external 
clients in one cache 110 regardless of whether the data has 
also been requested by internal clients, and stores data 
requested only by internal clients in another cache 110. The 
data requested by external clients is stored in its non-secure 
form and its URLs are transformed to create secure data 134 
only as needed before putting data on the wire to an external 
client. The data sent to internal clients may include a mixture 
of non-secure data 130 and secure data 134; during step 132 
only secure data 134 is sent to external clients. 

Alternatively, all data sent to internal and/or external 
clients may be stored in a single cache 110, with URL 
transformation again being performed on-the-fly as needed 
when cached data is to be sent to an external client during 
step 132. Of course, caching may also be simply omitted in 
some embodiments. 

As discussed above, the invention may operate by sending 
non-secure data 130 from the target server 104 to the border 
server 106, where the data is transformed by the URL 
transformer 108 and then transmitted as secure data 134 to 
the external client 112. Several variations on this approach 
are also possible according to the invention. Some involve 
the caching alternatives discussed above. Other variations alter 
the location or function of the URL transformer 108 and/or 
involve tunneling. 

For example, after the user is authenticated during step 
126 the border server 106 may function merely as a node on 
a path which carries secure data 134 from the target server 
104 to the external client 112. This configuration may be 
appropriate if the target server 104 only holds secure data 
134. Even if the URL transformer 108 rarely or never 
modifies any URLs in practice, it may still be capable of 
performing such modifications in case its filtering function 
does find any non-secure URLs. In addition, or as an 
alternative, the URL transformer 108 may notify an admin- 
istrator if non-secure URLs are found. 

It may also be appropriate for the border server 106 to 
function merely as a data carrier node if an URL transformer 
108 is part of the target server 104 instead of (or in addition 
to) being part of the border server 106. The target server 104 
can then transform any non-secure data 130 into secure data 
134 before forwarding that data 134 to the border server 106 
for subsequent transmission to the external client 112. For 
example, in one embodiment a transmitting step 136 sends 
secure data in tunneling packets 138 to the border server 
106, which then forwards the data 138 to the external client 
112 during a step 132. Familiar tunneling tools and techniques 
may be used during step 136 to transmit data which 
has been made secure through URL transformation according 
to the invention. 

Additional Information 

FIGS. 3 and 4 further illustrate the invention. FIG. 3 
shows a configuration containing two target servers 300, 
302, illustrating the fact that some embodiments of the 
invention involve two (or more) target servers 104. Thus, 
confidential data 304 to which an external client 112 seeks 
access may be stored in the secure network 100 on one or 
more target servers 104. The protected data 304 may be a 
mix of secure (e.g., containing "https" only) data and 
non-secure (e.g. at least one instance of "http" referring to 
data within the secure network 100) data. 

In FIG. 3 the URL transformer 108 is located in the border 
server 106. By contrast, FIG. 4 shows a configuration in 
which the URL transformer 108 is part of the target server 
104. Accordingly, the configuration of FIG. 3 assumes that 
non-secure confidential data 304 is sent from the target 
server 104 to the border server 106, transformed at the 
border server 106 by the URL transformer 108, and then 
provided to the external client 112. By contrast, the 
configuration of FIG. 4 assumes that non-secure confidential 
data 304 is transformed into secure data by the URL 
transformer 108 at the target server 104, after which the 
modified data is sent either directly to the external client 112 
(bypassing the border server 106) or indirectly to that client 
112 by way of the border server 106. Indirect transmission 
of secure data from the target server 104 through the border 
server 106 to the external client 112 could utilize, for 
instance, familiar tunneling tools and techniques. 

For purposes of illustration, FIG. 3 shows both a non-secure 
data cache 306 and a secure data cache 308 as part of 
the border server 106. As discussed above, however, the 
border server 106 may also be configured according to the 
invention with only one of these two caches 306, 308, or 
with a combined cache 110 containing both secure and 
non-secure data, or with no cache 110. Those of skill in the 
art will also appreciate that the target server 104 may also 
include zero or more caches 110. 

The border server 106 includes secure sockets layer 
software 310, and the external client 112 includes corresponding 
secure sockets layer software 318. As noted above, 
any commercially available software which provides a 
secure connection through encryption at the sockets level 
can be used to form the secure connection provided by the 
software 310, 318. Suitable software 310, 318 thus includes 
the SSL software provided commercially by Netscape Corporation 
and other vendors. 

The border server 106 also includes management software 
312. In various embodiments, the management software 312 
provides some or all of the following functionality to permit 
system operation as discussed herein: handling requests 
which are redirected during step 122 and subsequently 
redirecting the external user back to that target server 104 
after step 124 forms a secure connection and step 126 
authenticates the user; invoking the URL transformer 108 as 
necessary to prevent non-secure data from being transmitted 
to an external client 112; managing the caches 110; interfacing 
with a network user authentication system 316 such 
as the NDS authentication system; logging user and/or 
system activity; alerting administrators to possible problems 
such as multiple failed authentication attempts, failed secure 
connection attempts and/or lack of resources such as 
memory or disk space; and managing information such as 
the IP address and/or session identifier used by a given 
external client 112 to make certain that secure data is 
transmitted only to the authenticated user. 
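Two of the management functions listed above, alerting on repeated failed authentication attempts and tying secure data to the IP address and session identifier of the client that authenticated, can be shown in a small state-keeping class. The Python below is an added example for this page, not the patent's code or any vendor's product; the failure threshold, the way the session identifier is generated, and the sample addresses in the demonstration are assumptions made for the example.

```python
"""Session binding and failed-login alerting for a border server
(added example, not the patent's code). The threshold, the identifier
format and the sample addresses are constructed for this example."""
import secrets
from collections import defaultdict


class ManagementState:
    """Tracks authenticated sessions and failed attempts on the border
    server so that secure data 134 leaves only toward the user who
    authenticated, and administrators hear about repeated failures."""

    def __init__(self, max_failures=3):
        self._sessions = {}                 # session id -> (user, client ip)
        self._failures = defaultdict(int)   # (user, client ip) -> count
        self.max_failures = max_failures    # assumed alert threshold
        self.alerts = []                    # messages an administrator sees

    def authenticated(self, user, client_ip):
        """Record a successful step-126 authentication, clear the failure
        count, and issue a fresh unguessable session identifier that is
        bound to the address the user authenticated from."""
        self._failures.pop((user, client_ip), None)
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (user, client_ip)
        return session_id

    def authentication_failed(self, user, client_ip):
        """Count a failed attempt; return True (and raise an alert) once
        the threshold for this user/address pair is reached."""
        key = (user, client_ip)
        self._failures[key] += 1
        count = self._failures[key]
        if count >= self.max_failures:
            self.alerts.append(
                f"{count} failed authentication attempts for {user!r} "
                f"from {client_ip}")
            return True
        return False

    def may_send_secure_data(self, session_id, client_ip):
        """Secure data goes out only when the session exists and the
        request arrives from the same IP address that authenticated it."""
        entry = self._sessions.get(session_id)
        return entry is not None and entry[1] == client_ip

    def user_for(self, session_id, client_ip):
        """Name of the authenticated user for a valid session, else None."""
        if not self.may_send_secure_data(session_id, client_ip):
            return None
        return self._sessions[session_id][0]

    def close(self, session_id):
        """Forget a session (logout or timeout); later requests are refused."""
        self._sessions.pop(session_id, None)


if __name__ == "__main__":
    # Constructed demonstration with documentation-range addresses.
    state = ManagementState(max_failures=2)
    state.authentication_failed("alice", "198.51.100.7")
    state.authentication_failed("alice", "198.51.100.7")
    print(state.alerts)
    sid = state.authenticated("alice", "198.51.100.7")
    print(state.may_send_secure_data(sid, "198.51.100.7"))   # same address
    print(state.may_send_secure_data(sid, "203.0.113.9"))    # other address
```

Binding the session to the address that authenticated means a session identifier presented from elsewhere is refused even if it is otherwise valid, and the alert list is the hook through which the border server would notify an administrator of repeated failures.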



The border server 106 also includes standard network and 
operating system software 314. Suitable networking soft- 
ware 314 includes Novell NetWare software, various TCP/IP 
implementations, Ethernet software, and other commercially 
available networking software. Suitable operating system 
software 314 includes UNIX, Linux, and UNIX variations, 
Microsoft Windows, and other commercially available oper- 
ating system software. 

The client 112 likewise includes networking and operat- 
ing system software 320. Suitable software 320 includes 
commercially available software such as that previously 
mentioned. It is not necessary for the client 112 and the 
border server 106 to be running the same operating system 
and/or the same networking software, so long as a secure 
connection can be formed. For instance, the border server 
106 might use UNIX software while the client 112 runs 
Windows 2000 software, with each using their respective 
SSL software to provide the necessary secure connection. 

The client 112 includes an application program or some 
other piece of requesting software 322 which makes the 
access request during step 120. Requests may be prompted 
by human users and/or by system tasks or threads. The 
software 322 which seeks access to confidential data 304 
from outside the security perimeter 102 will often be a Web 
browser. However, the present invention also provides 
secure access to other types of requesting software, including 
without limitation: indexing programs, search programs, 
database-building tools, archival tools, administrative tools, 
collaborative writing tools, multimedia conferencing 
software, and lower-level software such as file system 
software, operating system software, and/or networking 
software. 

The client 112 also contains user authentication informa- 
tion 324. As noted above, the authentication information 324 
which is used to authenticate the user and/or client to the 
network 100 during step 126 will often include a user name 
and a corresponding user password. These are preferably the 
same name and password used by the authorized user to log 
into an internal client of the secure network 100. In place of, 
or in addition to a user name and password, the authentica- 
tion information may include certificates, tokens, public 
keys, and/or data from authentication tools such as biometric 
scans, voice prints, retinal scans, fingerprint scans, magnetic 
card reader results, and so on. A wide variety of suitable 
authentication information is familiar to those of skill in the 
art. 

The configuration shown in FIG. 4 has much in common 
with the configuration shown in FIG. 3, at least with respect 
to many of the individual components. For instance, the 
comments made above regarding the confidential data 304, 
the caches 110, the URL transformer 108, the secure sockets 
layer software 310, 318, the network and operating system 
software 314, 320, the requesting software 322, the network 
user authentication system 316, and the user authentication 
information 324 apply to both Figures. 

However, the functionality of the management software 
312 on the border server 106 may be divided in the con- 
figuration of FIG. 4 between management and tunneling 
software 400 in the target server 104 and management and 
tunneling software 402 in the border server 106. The man- 
agement software 312 functionality may also be supple- 
mented by tunneling functionality. Suitable tunneling func- 
tionality is available through the literature and commercially 
available tunneling implementations. 

The software 400 may also include the redirector for 
redirecting to the border server 106 the request made by the 
client 112 for direct access to the target server 104. This 
allows user authentication during step 126 to be performed 
by the border server 106 while URL transformation and data 
transmission are performed by the target server 104 and/or 
by the target server 104 in combination with the border 
server 106. 

Summary 

The present invention uses novel URL transformations 
and/or more familiar mechanisms such as HTTP redirection 
and SSL software to provide secure authentication of a user 
from an external client and to then provide secure transmission 
of confidential data between the target server and the 
external client. By transforming non-secure URLs into 
secure URLs, the invention forces continued use of secure 
communications despite the inherent security problems of 
HTTP. These problems arise from the fact that HTTP does 
not normally "remember" security requirements from one 
Web page transmission to the next. The present invention 
forces use of a secure connection each time the user follows 
an URL to confidential data. Moreover, the invention provides 
this security without requiring any additional distribution 
or installation of client software onto the external 
client(s) beyond that which is already widely used. 

Although particular methods and signal formats embodying 
the present invention are expressly described herein, it 
will be appreciated that system and storage media embodiments 
may also be formed according to the signals and 
methods of the present invention. Unless otherwise 
expressly indicated, the description herein of methods and 
signals of the present invention therefore extends to corresponding 
systems and storage media, and the description of 
systems and storage media of the present invention extends 
likewise to corresponding methods and signals. 

As used herein, terms such as "a" and "the" and item 
designations such as "URL" are inclusive of one or more of 
the indicated item. In particular, in the claims a reference to 
an item means at least one such item is required. When 
exactly one item is intended, this document will state that 
requirement expressly. 

The invention may be embodied in other specific forms 
without departing from its essential characteristics. The 
described embodiments are to be considered in all respects 
only as illustrative and not restrictive. Headings are for 
convenience only. The scope of the invention is, therefore, 
indicated by the appended claims rather than by the foregoing 
description. All changes which come within the meaning 
and range of equivalency of the claims are to be 
embraced within their scope. 

What is claimed and desired to be secured by patent is: 

1. A distributed computing system allowing secure external 
access to a secure network, the system comprising: 

a target server within the secure network; 

a border server within the secure network, the border 
server connectable to the target server by a first 
communications link; 

a client outside the secure network, the client connectable 
to the border server by a second communications link, 
the client and the border server configured to support 
secure sockets layer communication over the second 
communications link; 

a user authentication system located at least partially 
within the secure network, the secure network configured 
to allow direct access to the target server by a user 
only after the user is authenticated by the user 
authentication system; and 

a uniform resource locator transformer which modifies 
non-secure uniform resource locators in data being sent 
from the target server to the client by replacing them 
with corresponding secure uniform resource locators to 
promote continued use of secure sockets layer 
communication. 

2. The system of claim 1, wherein the uniform resource 
locator transformer is located on the border server. 

3. The system of claim 1, wherein the uniform resource 
locator transformer is located on the target server and the 
system further comprises tunneling software for tunneling 
between the client and the target server through the border 
server. 

4. The system of claim 1, wherein the secure network is 
configured to allow direct access to the target server from 
network addresses within the secure network while denying 
direct access to the target server from network addresses 
outside the secure network. 

5. The system of claim 1, wherein the secure network 
includes a secured intranet. 

6. The system of claim 1, wherein the client is a multi-user 
client. 

7. The system of claim 6, wherein at least two user 
workstations are connected to the client. 

8. The system of claim 1, wherein the user authentication 
system includes a directory services database. 

9. The system of claim 1, wherein the user authentication 
system includes a domain directory. 

10. The system of claim 1, wherein the user authentication 
system authenticates the user to all servers in the secure 
network after recognizing a single user name and a single 
corresponding user password. 

11. The system of claim 1, further comprising a redirector 
for redirecting to the border server a request made by the 
client for direct access to the target server. 

12. The system of claim 1, wherein the border server 
includes at least one cache. 

13. The system of claim 12, wherein the border server 
cache includes data from the target server which contains 
non-secure uniform resource locators, and the uniform 
resource locator transformer introduces secure uniform 
resource locators on the fly without requiring that the 
transformed data also be cached on the border server. 

14. The system of claim 12, wherein the border server 
cache includes a non-secure data cache for internal clients 
and a secure data cache for external clients, the non-secure 
data cache holding data that contains non-secure uniform 
resource locators, and the secure data cache holding data that 
does not contain non-secure uniform resource locators. 

15. The system of claim 12, wherein the border server 
cache is free of data that contains non-secure uniform 
resource locators. 

16. A method for providing access to a secure network, the 
method comprising the steps of: 

receiving a request for access to a target server which is 
within the secure network, the access request having 
been made by a user outside the secure network; 

forming a secure sockets layer connection between the 
user and a border server which is within the secure 
network; 

using the secure sockets layer connection and a user 
authentication system of the secure network to authen- 
ticate the user to the secure network; 

modifying data by replacing non-secure uniform resource 
locators in the data with corresponding secure uniform 
resource locators which promote continued use of 
secure sockets layer communication; and 

transmitting the modified data to the user over a secure 
sockets layer connection. 
17. The method of claim 16, wherein the modifying step 
is preceded by the step of transmitting the data to be 
modified from the target server to the border server in 
response to the access request, and the modifying step is 
performed at the border server. 

18. The method of claim 17, further comprising the step 
of caching data on the border server. 

19. The method of claim 16, wherein the modifying step 
is performed at the target server, and the transmitting step 
transmits the modified data to the user over a secure sockets 
layer connection which tunnels through the border server. 

20. The method of claim 16, wherein the receiving step 
includes receiving the access request at the target server and 
the method further comprises the step of redirecting the 
request to the border server before the forming step. 

21. The method of claim 16, wherein the forming step 
includes storing an IP address which indicates the current 
location of the user, and the step of transmitting the modified 
data to the user transmits the data only to that same IP 
address. 

22. The method of claim 16, wherein the forming step 
forms an SSL connection. 

23. The method of claim 16, wherein the using step 
includes obtaining from the user a user name and a user 
password. 

24. The method of claim 16, wherein the step of modi- 
fying the data includes replacing the string "http" with the 
string "https" in at least one uniform resource locator. 

25. A computer storage medium having a configuration 
that represents data and instructions which will cause 
performance of method steps for providing access to a secure 
network, the method comprising the steps of: 

receiving at a target server which is within the secure 
network a request for access to the target server, the 
access request having been made by a user outside the 
secure network; 

redirecting the request to a border server which is within 
the secure network; 
forming a secure connection between the user and the 
border server, the secure connection utilizing at least a 
transport layer protocol and lower level protocols, 
security in the connection being provided at least by 
encryption performed above the transport layer protocol; 

using the secure connection and a user authentication 
system of the secure network to authenticate the user to 
the secure network; 

modifying data by replacing non-secure uniform resource 
locators in the data with corresponding secure uniform 
resource locators which promote continued use of 
secure communication; and 

transmitting the modified data to the user over a secure 
connection. 

26. The configured storage medium of claim 25, wherein 
the forming step includes storing an IP address and a session 
identifier which collectively indicate the current location of 
the user, and the step of transmitting the modified data to the 
user transmits the data only to that same IP address and 
session. 

27. The configured storage medium of claim 25, wherein 
the using step includes obtaining from the user a user name 
and password for network-wide authentication. 

28. The configured storage medium of claim 25, wherein 
the modifying step is preceded by the step of transmitting the 
data to be modified from the target server to the border 
server in response to the access request, and the modifying 
step is performed at the border server. 

29. The configured storage medium of claim 28, wherein 
the method further comprises the step of caching data on the 
border server. 

30. The configured storage medium of claim 25, wherein 
the modifying step is performed at the target server, and the 
transmitting step transmits the modified data to the user over 
a secure sockets layer connection which tunnels through the 
border server. 

***** 


